Total downloads: 456
Favorites: 0
Current installs: 1
Versions: 1
Install in OpenClaw
/install paddle
Description
Integrate Paddle payments with subscriptions, webhooks, checkout, and tax compliance.
Security recommendations
This skill's content appears to be a legitimate Paddle integration, but there are important inconsistencies you should resolve before installing or allowing an agent to use it autonomously:
- Confirm environment variables: The docs use PADDLE_API_KEY and PADDLE_WEBHOOK_SECRET but the registry lists none. Require that the developer (or you) declare these env vars explicitly and keep keys in environment variables or a secure vault — do not store secrets in ~/paddle/memory.md.
- Review local storage: The skill writes to ~/paddle/. Inspect that directory and the memory.md file format to ensure no plaintext secrets are saved. If you allow the agent to create files there, restrict their contents and file permissions.
- Limit code access: The guidance to 'observe their code' could cause the agent to read unrelated source files. If you want the agent to inspect only specific repos or paths, enforce that constraint before use.
- Verify webhook handling: Ensure webhook verification uses the webhook secret and timing-safe comparison as shown. Test only in sandbox until you confirm behavior.
- Be cautious with CLI installs: The docs suggest installing the Paddle CLI (npm). Only run such installs from trusted sources and in controlled environments (sandbox/container) if you plan to follow that step.
If you need higher assurance, ask the skill author to (1) list required env vars and binaries in the registry metadata, (2) explicitly state that memory.md will never contain secrets, and (3) narrow any instructions that read the user's codebase to specific, documented paths. If those clarifications are not available, treat the skill as suspicious and use it only in a constrained sandbox environment.
Functional analysis
Type: OpenClaw Skill
Name: paddle
Version: 1.0.0
The OpenClaw AgentSkills skill bundle for Paddle integration is benign. It provides comprehensive documentation and code examples for integrating Paddle payments, with a strong emphasis on security best practices. Key indicators include explicit instructions for the agent to 'Always Use Sandbox First' and 'Verify Webhook Signatures' (SKILL.md, webhooks.md), secure handling of API keys via environment variables, and correct implementation of webhook signature verification using constant-time comparison (webhooks.md). The skill transparently outlines data handling, stating what data is sent to Paddle (expected for a payment processor) and what remains local. There is no evidence of malicious intent, unauthorized data exfiltration, persistence mechanisms, or prompt injection designed to subvert the agent for harmful purposes. The suggested `npm install -g @paddle/paddle-cli` command in `webhooks.md` is for a legitimate development tool and is presented transparently for its stated purpose of webhook testing.
Capability assessment
Purpose & Capability
The name/description (Paddle payments, subscriptions, webhooks, checkout, tax) matches the provided docs and examples. However, the skill references sensitive runtime items (PADDLE_API_KEY, PADDLE_WEBHOOK_SECRET) and the Paddle CLI, yet the registry metadata lists no required environment variables or binaries — this mismatch is unexpected and should be clarified.
Instruction Scope
Runtime docs instruct the agent to read/write local memory in ~/paddle/, to save integration state, and contain guidance like 'observe their code, don't interrogate' which implicitly encourages the agent to inspect the user's codebase; the skill does not enumerate what filesystem paths are allowed. The docs also give examples that reference environment variables (PADDLE_API_KEY, PADDLE_WEBHOOK_SECRET) and recommend installing the Paddle CLI via npm, but the instructions do not explicitly constrain file or repo access — this broad scope could let the agent read unrelated files or accidentally store secrets in plain memory.
Install Mechanism
There is no install spec (instruction-only), which is lower risk, but the documentation recommends running npm install -g @paddle/paddle-cli for webhook testing. The lack of declared required binaries yet recommending a global npm install is an inconsistency the user should expect to resolve manually.
Credentials
Registry metadata declares no required environment variables, but api.md and webhooks.md clearly show use of PADDLE_API_KEY and PADDLE_WEBHOOK_SECRET. The architecture and memory references are inconsistent: some files imply API keys live in environment variables, other places show memory.md containing 'API keys, environment, product IDs'. This ambiguity is a security concern — secrets must be minimised, stored in env vars or secure vaults, and never written to a plaintext memory file.
Persistence & Privilege
The skill persists integration state under ~/paddle/ (memory.md and webhooks.md). Persisting local integration metadata is reasonable for this purpose, and always:false means it won't be force-included. Still, the guidelines should explicitly forbid storing secrets in that persisted memory file; currently the files contain mixed guidance about where keys live.
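How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install paddle
- Once installation completes, call the Skill by name or use /paddle to trigger it
- Provide the required inputs according to the Skill's parameter description to get structured output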
Version history
v1.0.0
Initial release with API reference, webhook handling, and checkout integration.
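FAQ
What is Paddle?
Integrate Paddle payments with subscriptions, webhooks, checkout, and tax compliance. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 456 total downloads to date.
How do I install Paddle?
Run the command "/install paddle" in the OpenClaw or Claude Code chat box to install it in one step, with no additional configuration.
Is Paddle free?
Yes, Paddle is completely free (open source and free of charge) and can be freely downloaded, installed, and used.
Which platforms does Paddle support?
Paddle runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (linux, darwin, win32).
Who developed Paddle?
It is developed and maintained by Iván (@ivangdavila); the current version is v1.0.0.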